Krebs on Security

In-depth security news and investigation

Taking Down Fraud Sites is Whac-a-Mole

I’ve been doing quite a bit of public speaking lately — usually about cybercrime and underground activity — and there’s one question that nearly always comes from the audience: “Why are these fraud Web sites allowed to operate, and not simply taken down?” This post is intended to serve as the go-to spot for answering that question.

Q: Why not take down the hundreds of sites now selling stolen credit cards and identity data?

A: For starters, it’s not always so easy to take these sites offline. Many of them rely on domain name registrars that routinely ignore abuse requests. The same goes for the organizations hosting a number of these unsavory markets. What’s more, most crime shops have a slew of new domain variations at a variety of hosting providers and registrars that they can turn to if they do get shut down.

More importantly, fraud shops don’t often get shut down because they are quite useful to law enforcement, banks and researchers alike. Stolen data that has value among computer crooks will always find a way onto illicit markets; it benefits the aforementioned parties if those markets aren’t so exclusive that the crooks can no longer easily view or buy the data for sale.

As I’ve discussed in several articles, banks and law enforcement often use these services to figure out which merchant has been hacked; to help stanch the flow of new stolen data; and, effectively, stop the breach.

Q: Why are there so many of these card shops hosted in the clear Web, instead of via Tor, I2P or some other anonymization technology that allows the shop to hide its true Internet address?

A: Most card shops sell only a tiny fraction (think single-digit percentages) of the cards they have for sale at any one time. As I noted in the second half of this piece, the thieves in charge of the shop primarily responsible for selling cards stolen from Target and Home Depot only sold a very small percentage of the more than 100 million credit and debit cards they stole from those two companies. Russian computer forensics firm Group-IB found similar single-digit sales figures at swipe[dot]su, a long-running card shop that they hacked last year.

In short, stolen cards are not like fine wines: They don’t age well. The minute they are put up for sale, their value starts to decline. And there are many times more stolen cards available than there are crooks to absorb anywhere near double-digit percentages of cards stolen from a given merchant. Hence, it behooves the card vendors to make their shops as accessible and easy-to-use as possible.

Q: How come law enforcement officials can’t just put these guys and others out of business or behind bars for this activity?

A: Occasionally, the proprietors of these card shops do get arrested and jailed. But a great many of the sites are run by individuals living in Russia and Ukraine. Neither nation has shown itself particularly anxious to arrest cyber crooks within its borders, so long as those crooks are mainly picking on targets outside of their home country. Also, cybercrooks based in Russia and Ukraine who don’t steal from their own generally have little to fear from foreign law enforcement and governments provided they don’t travel to Western-friendly nations.

Q: Okay, but can’t we all achieve a certain catharsis from taking these sites offline?

A: Sure, but those fraud sites will be back online before you can say “where’s my debit card.” Most experienced card shops list on their home pages several — if not dozens — of alternate domains that customers can use in the event that the current one gets shut down. While this certainly presents a ripe target list for anyone wishing to take these sites offline, see the answer to the first question above for why this generally gets harder with every successive takedown.

Q: So is there nothing we can do to disrupt these crime shops that isn’t also disruptive to security folk looking to gain intelligence about who’s hacked?

A: Most of the top card fraud shops have redesigned their business models around creating a smoother customer experience. Gone are the days when a serious card shop could ignore customer complaints and still do a brisk and loyal business. It’s all about reputation. Creating a positive customer experience is the key to the way these guys establish legitimacy and loyalty among customers. But interfere with that customer experience — and seller reputation — enough, and that business may very well die on the vine.

This entry was posted on Monday, April 20th, 2015 at 2:57 am and is filed under A Little Sunshine.

No, they usually don’t use fast flux, they just maintain domains that cannot be easily taken down by USA authorities. They also use bullet proof hosting services. USA can easily take down .COM and .NET but not .SU so they use those domains. These sites also sit behind CloudFlare so it’s not so easy to DDoS them to oblivion.

Why not route the IPs and DNS of the criminal websites to a black hole?
If they are using a cloud provider, this might provide an incentive for the provider to take them down & re-enter non-criminal society.

The criminal cooperation extends through the hosters (the maintainer of the particular IP and DNS networks) — ask Cloudflare Inc as an example (hoster of much badness). CEO Prince has pronounced reason to host network badness. National law enforcement and the national judges aren’t shutting it down — the traffic is being allowed to traverse countries.

It’s one huge cooperative network of badness. Your idea is partially in agreement with my agreement (April 20, 2015 at 9:35 am and April 23, 2015 at 10:14 am, both above) — down the whole national regional network until someone in the other nation decides there’s incentive to make it better.

Heavier fines on the merchant so they take security seriously. Even better, suspend their merchant account until they prove they are secure. But keep in mind you as a customer are rarely (never) responsible for the charges so it’s no impact to you. Quit complaining unless you want to pay for the higher swipe fees.

Heavier fines would never make merchants take security seriously. People in general won’t take security very seriously (those that do are usually labeled as hackers or tin-foil-hat conspiracy theorists). What would happen is a merchant would pursue other means and pass the cost to the consumer. This ‘other means’ will be sold to the merchant as “safe and secure” when it won’t be and the merchant will believe it hook, line and sinker.

It is definitely a game of whac-a-mole, but the most important things people can do is wise up to what they do with their personal information, learn something about computers, limit or eliminate their social networking, and stop being so gullible. The problem is that anything called “security” is seen as something that someone else is responsible for (whether you are a multi-national company or a single home user).

I find it interesting that we’re talking about “fraud sites” while most web sites are now set up as a mix of all kinds of ‘other sites’ being pulled in. You think you’re pulling up one site when you’re really pulling up sixteen sites. But that’s just seen as semantics that represents web2.0 cloud based CDN technology. No one talks about fraud when it comes to the web until five million credit cards get stolen.

I guess you’ve never had your rent cheque bounce because your account was just wiped out, and your bank won’t be refunding you your money for another 3-6 weeks (if they do refund it at all)!!
It’s a reminder that these things do affect the 99%, sometimes in a crippling manner.

I am guessing you paid with a debit card? NEVER do that, never use anything tied to your bank account, it’s one of the most dangerous things you can do. Only use credit cards where they are not pulled from your bank account. Keep in mind a debit card is NOT a credit card so it’s on you to prove you didn’t spend something before they return money to your account. Compared to credit cards where you can let the credit card company do all of the work. Plus you get paid to use the credit card, not with the debit card, and you lose the interest on the money you could be gaining each month with the free 30 day loan from the credit card.

I just want to say I don’t know where you bank, but if you have check fraud or debit fraud, claims are paid within 10 business days if you report that right away and not wait months upon months. We ask a series of questions and we pay the fraud claims if the charge posts to the account.

Why expect millions of merchants to change their behavior? Wouldn’t it be more effective to expect the card issuers to adopt a better system? It isn’t the merchant’s fault that there is little to no real security on the credit card system. After all, the whole thing is based on a shared secret, which is an oxymoron.

The solution is real security at the transaction level for all transactions online and off. The only way to stop carding shops, is to make the information that can be stolen completely useless. It is completely possible to do this for credit cards, bank account numbers and social security numbers. In any other area of security we readily acknowledge that any information that is communicated openly more than once has no security authentication value.

In truth, the real way to stop it is to aggressively prosecute the people and card-gangs who are buying and using these stolen cards. I’ve had two CC hijackings – each involved thousands of dollars in stolen merchandise – and the local police could not have been more disinterested.

It’s not just police. I was surprised that when I had two cards hijacked from the same gas station and I could be certain of it due to the circumstances, the credit card companies did not care much about knowing the details and they did not care if I filed a police report.

The police can’t do anything because in CA they won’t even take a police report if it’s under a certain dollar amount, and as long as the bank refunds you they don’t really care & they would have to get a subpoena to get camera footage of someone using the card at the pump.

Why not plant some of those programs that encrypt their websites like the ones that hold a users files hostage until they pay for a key to decrypt their computer files? But don’t offer them a key, just leave their sites encrypted.

How do you propose someone do that? Keep in mind the guys running these sites are not idiots. The LAMP stacks they are running on are not vulnerable to things like cryptolocker and the criminals don’t fall for phishing attacks. They are not checking email and surfing the web from their webservers.

Absolutely they can be vulnerable as well, but keep in mind these sites are almost always behind a WAF that mitigates attacks. They shield the underlying IP behind a cloud service so you can’t directly attack any other services running on the box that they may have forgotten to firewall off. And they rarely forget to firewall it off anyway; keep in mind these guys are not morons, they know how to secure their sites. And on the topic of a zero day, no one is going to waste their zero day trying to take down a carding site, assuming the WAF doesn’t catch it.

Brian et al,
Then based on the last statement by Brian “It’s all about reputation. Creating a positive customer experience is the key to the way these guys establish legitimacy and loyalty among customers. But interfere with that customer experience — and seller reputation — enough, and that business may very well die on the vine.”

…then we CAN stop these things by taking down the sites and making it hard enough for their “customers” to reach them which will ruin their reputation and dry up their business.

Which will force folks to move to fewer sites to buy their illegal wares – perhaps even to government “pwned” sites.

It’s an interesting question, but the “ends” can never justify the “means”. In this case, not serving justice so you can have an easier job in maybe finding “bad guy tracks” does an enormous disservice to everyone else affected.

Reminds me of a person locally I heard about that had video footage of folks who were stealing stuff from his house (for the 3rd time!) yet the police wouldn’t do anything about it until he threatened to take it to the newspapers – apparently the police already well knew the “bad guys” but were trying to tie them to other things – which as I said, was NOT justice to the man whose items were stolen over and over again.

It seems Ukraine could use all the friends it can garner in the West. Maybe they should allow investigators into the country to make arrests directly, and grease the wheels for extradition. I realize they are busy with “NOT” Russian separatists for now; but they need every advantage they can get ASAP!

Personally, I wonder how much of the Ukraine conflict can be traced to Russia desiring a foreign country to offload criminal activity, so they can claim ignorance, even as the profits are funneled to Russia.

If Ukraine were to align itself with the EU, enforcement of EU laws would certainly come as part of the package (or at least be on the horizon, as they move closer to the EU), forcing all the criminals living in the border regions to move back to Russia to continue their activities. At that point a certain measure of their plausible deniability vanishes.

The entire conflict is certainly far more complex than just this, and when taken in a historical context (e.g. Holodomor) there’s a pattern of behavior between the two nations that makes the conflict far more complex… but this has to factor into it to some extent.

It’s incredibly easy to forget that this is all obvious stuff for IT and computer security pros working day to day, like us. Think of how naive many of our friends, girlfriends, family, people we care about are when it comes to identity protection and computer security. They are swimming in a pool of sharks without even knowing of the present danger.

The US needs to encourage better computer security and computer safety practices among all citizens… there needs to be some kind of nationwide awareness campaign started on this regard. But you cannot count on the government. Security is, after all, only a concern after the damages have been done.

We are connected to the internet 24/7 thanks to our WiFi and mobile devices. Attacks will only become more and more ruthless as time goes on. Please, educate and train your loved ones on how to protect themselves, their bank accounts, and identity online.

Were the Target and Home Depot breaches the work of slovenly American consumers? They were the result of the nexus of American corporate IT slovenliness and American financial industry slovenliness. Are European, ANZAC, and East Asian (non PRC) individual users so much more tech savvy than American users, that it accounts for the disproportionate ‘victimization’ of the United States in online theft? Let’s see the evidence, please!
This looks like an attempt to divert blame away from the responsible (corporate) parties to individual users, in the guise of benevolent advice.
Of course, it’s a good idea to practice good IT security!

This situation has very little to do with geography (except that there are certain countries more likely to do bad things).

It is so very obvious that there is a serious lack of technological understanding combined with apathy across the board. No single nation is immune and this is a global problem. There is not a government that has the desire or capability to fix these things. The fix needs to start with individual users. It is the individual user that is where industrial leaders come from.

The days of the flashing 12:00 being acceptable are gone. Things have changed. Life in this world has changed.

Officer, don’t ticket me for running the red light because it will only make me run a different red light, farther away from the station. And besides, if you ticket me you will lose valuable data on which red lights I am driving through.

Imagine we could apply that policy framework to all sorts of areas…don’t bother inspecting Iran for nukes, it will just make them move them so they would be harder to find.

Yes whac a mole is hard work…is there a problem with it being hard work?

After reading the supposed rationale for letting known fraud continue I am more inclined to the whac a mole approach given I see no reason to allow someone to purchase a stolen card in the states, especially since they are often coupled to zip codes for subsequent fraudulent transactions.

Once, perhaps, but after that we have a pretty good idea of what is what.

On a technical note, I get that CPP is the tool of choice, but do folks understand it is essentially a CRC function, a hashing function? Do folks understand that it is subject to the same types of limitations, namely it is fooled by multi errors/hacks that will sooner or later be exploited?

And has no one in Infosec heard of the fallout of ATBs fast and furious? Letting fraud go on will come back to bite. I suspect in hindsight, after it bites, folks will say “who would have guessed the unintended consequences of letting fraud sites do business in the states”. Time will tell.

Bottom line, I am less convinced of the wisdom in current policy than before reading Brian’s post.

Their ISP might not care whether anyone complains, but the ISP itself has an upstream provider of some sort. It seems that eventually you will reach someone who is outside of the Ukraine and who would care and would be responsive, and wouldn’t they have the option to block the offending ISP until they shape up?

In my judgment: One of the primary rules of the Internet is openness (all variations from good to bad). The upstream providers will do nothing following the don’t-interfere-with-passing-along-the-traffic under the openness rule; unless there is law enforcement or judicial action. But, since non-Russia or non-Ukraine law enforcement and judicial action won’t touch the sovereign nation of Russia or Ukraine the open traffic flow continues.

To explain how pervasive the open rule is, the parent organization of the IETF (Internet Engineering Task Force), the Internet Society, states its mission is “to promote the open [for good and bad traffic] development, evolution and use of the Internet for the benefit of all people [good to bad] throughout the world”. The whole premise of the Internet structure allows this the way it is being managed today.

I disagree with this openness rule when bad traffic crosses into other sovereign nations and breaks their laws. I say give your voice for change to the protectionist management of passing-along-bad-traffic repeatedly originating from the same networks: Link in prior comment.

Instead of going after the purveyors of stolen cards why not go after their customers? Handle it like they do prostitution, arrest the Johns! Perhaps law enforcement could set up a nice mirror site that is also “very customer friendly”. Some % of these stolen card customers must reside in countries where law enforcement would be able to make arrests. Perhaps a few customers might even reside in the U.S.

In my judgment: Eventually, this sting operation would be labeled as such (the carder to be avoided), or not be allowed to be set up inside a more believable malicious operation. And, it wouldn’t be getting to the diehard malicious operators in say Russia or Ukraine, the malicious go to operation.

Unfortunately, we’ll need a solution for online purchasing (so far, the only one I can imagine is everyone having a reader in their smart phones, and that doesn’t seem like the way we’re going, or not using credit cards for payments — which I liked 10 years ago, but doesn’t seem to be winning).

I have a feeling these pills didn’t come from spam emails, but rather through online adverts for diet pill pushing websites. Ever seen the adverts on webpages that say things such as “find out the amazing all-natural weight loss secret that’s sweeping the nation”?

Great article Brian, but it didn’t answer a question I often find myself asking:

“Who is buying the stolen card details?”

Are we looking in the wrong direction? Could removing the customers be the best way to take these sites down?

I’m still surprised how crooks can gain any large value from stolen cards. I imagine you could clone a card and use it at a cash point (ATM) or store, but you would be on all sorts of CCTV. However, if you make purchases online (and use the correct billing address for the card) the goods still need to be sent somewhere…

who come from a 3rd world country where $2 per day is an average low skill worker salary, and after pooling money between 4 people for a few months, they can purchase everything needed to make clone cards good enough to work in most stores. So they go and purchase items that can be easily unloaded without losing too much of their value.

These guys got caught since they were acting suspicious, with 2 people purchasing bags of goods, relaying those bags to their 2 friends in the same mall, only to rinse and repeat. They were easily profiled, since normal shoppers don’t behave this way, a mistake no professional card thief would ever make.

So I think people like this comprise the customers of fraud websites.

All ideas I heard in the replies and posts here, from infecting crime sites, to taking them down, whack a mole style, is wasted energy. You know what the .SU extension is, Soviet Union.

The domain extension was supposed to be phased out 8 years ago, but Russia ignored them, and that’s that. No agency, private company or country is capable of threatening US, China, Russia, UK, France.

Right now a good portion of Russians think that Obama is training a new generation of Neo Nazis headed by former SS members to turn Ukraine into the 4th Reich, since that’s what their news broadcasts on all stations.

So nobody working at a Russian network is gonna help an American or European agency demanding the shutting down of a web company, since even if they tried, they would probably be reminded of treason laws.

Also these people are protected by a ‘roof’, a corrupt high level official who might arrest and even murder any do-gooder trying to get in the way.

Google ‘Hermitage fund Sergei Magnitsky’ to get an idea of the level of lawlessness and corruption there, and within that context, the whack-a-mole strategy is just a waste of time.

“So nobody working at a Russian network is gonna help an American or European agency demanding the shutting down of a web company, since even if they tried, they would probably be reminded of treason laws. ”

There is more than one end to the network connection. It’s somewhat similar to a bad end and a good end. The bad end may be connected/disconnected from the good end, by the networks. Disconnections are seldom enforced by national law enforcement, national judicial judgments, and all. Problem to me is: The connections into say a particular Russia (for example) network (known for whatever law they are breaking if they were in a foreign country, for example) are not being disconnected by the good end networks in say Germany, UK, Bulgaria, Sweden, wherever. The traffic on its way to breaking a federal law isn’t staying in Russia, it is networked (connected) to other networks that could disconnect their end (but they won’t or very seldom do). Russia does not control the rest of the Internet good end in other countries.

If you read Spam Nation (I’m almost finished reading it), you’ll see that the Pharm-acies and related crime industries have a huge incentive to weed out stolen cards.

Imagine you have a credit card, and you use it for a transaction, and the merchant messes up. You can go to your card company and complain — they’ll perform a “charge back” — essentially the charge on your account will be voided / refunded, and they’ll pull the funds from the merchant.

If more than 1% of all charges by a given merchant result in charge backs, the credit card network will penalize the merchant — and the penalties are steep and escalate. No merchant wants this. Especially not the Pharm-acies. That industry has developed enough technology to weed out purchases which are probably done using stolen cards.

So, your stolen card information isn’t being used there. Instead, it’s apparently mostly used at “Big Box” stores (e.g. Best Buy) to buy expensive goods which can be resold, or possibly to buy prepaid cards, which are then cashed out.

Nah, go credit, credit only (not debit) and worry not, because it’s not your (the consumer’s) problem to figure out. Worst case you get a card canceled due to compromise and have to wait a few days for the replacement, the worst disruption I have ever had.

I wonder if it’s really that hard to find these sites by a company such as Google that is a big filter taking in and analyzing Web pages? During their Web crawl they must pop up repeatedly. If you have an automated way to find them you can automate getting them delisted.

If I were a merchant with a little bit of smarts, I would recruit one or more card issuing banks to work with me to set up a honeypot. I’d attract criminals to what they think is yet another retailer with lax security. The crooks would compromise my fake POS terminals running fake transactions. They would steal fake credit card numbers and put them up for sale on some of their websites. And that would destroy their reputations.

There are ways for the good guys to fight back when and if the good guys care enough to do something about this problem.

Even the apathetic will enjoy “Bullseye Breach” and security pros will love it. Brian, you’re sort-of in this book. Check out the book website at http://www.bullseyebreach.com.